JS: Use routing trees to detect deeply tainted req.body

2026-05-12 10:19:29 +02:00 · 2021-10-28 09:57:06 +02:00
parent 7492293c5b
commit da8e67b7ee
3 changed files with 8 additions and 5 deletions
--- a/javascript/ql/lib/semmle/javascript/frameworks/Express.qll
+++ b/javascript/ql/lib/semmle/javascript/frameworks/Express.qll
@@ -613,10 +613,9 @@ module Express {

    override predicate isUserControlledObject() {
      kind = "body" and
-      exists(ExpressLibraries::BodyParser bodyParser, RouteHandlerExpr expr |
-        expr.getBody() = request.getRouteHandler() and
-        bodyParser.producesUserControlledObjects() and
-        bodyParser.flowsToExpr(expr.getAMatchingAncestor())
+      exists(ExpressLibraries::BodyParser bodyParser |
+        Routing::getNode(request.getRouteHandler()).isGuardedBy(bodyParser) and
+        bodyParser.producesUserControlledObjects()
      )
      or
      // If we can't find the middlewares for the route handler,